[Devbox] Reinstall and turn it into a usable desktop.

Signed-off-by: jmug <u.g.a.mariano@gmail.com>

arst

Signed-off-by: jmug <u.g.a.mariano@gmail.com>

.sops.yaml

@@ -3,6 +3,7 @@ keys:
   - &hosts:
     - &nixlap age1cfcfye2unv89fgyuwpvy9sas40jd87kksw7rlgy4cwmcfjqntv2st2jcnp
     - &asahi age1y2kfnx87z2j7te9hu0guderrf2x9m8d0f3gfjjxcdk2va77yj3hsngj2f5
+    - &devbox age1208zkkd9hh8n6v9zn6w75x9ajxd798kc4cv53d6qhkx55juflumquyh3ge
 creation_rules:
   - path_regex: secrets.yaml$
     key_groups:
@@ -10,3 +11,4 @@ creation_rules:
       - *jmug
       - *nixlap
       - *asahi
+      - *devbox

flake.nix

@@ -97,7 +97,7 @@
       devbox = nixpkgs.lib.nixosSystem {
         system = "x86_64-linux";
         specialArgs = {
-          inherit inputs;
+          inherit inputs ghostty;
         };
         modules = [
           ./hosts/devbox/configuration.nix

hosts/common/core/sops.nix

@@ -8,6 +8,27 @@
     defaultSopsFile = ../../../secrets.yaml;
     validateSopsFiles = false;
 
+    # To bootstrap a new device you need to ensure
+    # that the ssh service was enabled at least once
+    # (if you don't plan to keep it enabled permanently)
+    # then you need to derive an age public key from the
+    # ssh key by using:
+    #
+    # $ nix-shell -p ssh-to-age
+    # $ sudo ssh-to-age -i /etc/ssh/ssh_host_ed25519_key.pub
+    #
+    # This will give you the public key that you must put under .sops.yaml
+    # at the root of this repo.
+    #
+    # You'll then need to bootsrap the environment, so copy the secret key from
+    # cold storage to ~/.config/sops/age/keys.txt
+    # chomd it to 755
+    #
+    # The run:
+    # $ nix-shell -p sops
+    # $ sops updatekeys secrets.yaml
+    #
+    # You're bootsrapet and good to go!
     age = {
       sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
       keyFile = "/var/lib/sops-nix/key.txt";

hosts/devbox/configuration.nix

@@ -1,7 +1,7 @@
 # Edit this configuration file to define what should be installed on
 # your system. Help is available in the configuration.nix(5) man page, on
 # https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, ghostty, ... }:
 let
   pubKeys = lib.filesystem.listFilesRecursive ../common/keys;
 in
@@ -9,6 +9,9 @@ in
   imports =
     [ # Include the results of the hardware scan.
       ./hardware-configuration.nix
+      # Sops and other stuff.
+      ../common/core
+      ../common/optional/yubikey.nix
     ];
 
   # Use the systemd-boot EFI boot loader.
@@ -16,9 +19,26 @@ in
   boot.loader.efi.canTouchEfiVariables = true;
 
   nix.settings.experimental-features = [ "nix-command" "flakes" ];
+  # Allow unfree packages
+  nixpkgs.config.allowUnfree = true;
   virtualisation.docker.enable = true;
 
+  # Bluetooth.
+  hardware.bluetooth.enable = true;
+  hardware.bluetooth.powerOnBoot = true;
+  services.blueman.enable = true;
+
+  # WiFi
   networking.hostName = "nixbox"; # Define your hostname.
+  networking.wireless = {
+    enable = true;
+    secretsFile = config.sops.secrets."wireless.env".path;
+    networks = {
+      "UG_LivingRoom_5G" = {
+        pskRaw = "ext:home_psk";
+      };
+    };
+  };
 
   time.timeZone = "America/Los_Angeles";
 
@@ -49,6 +69,80 @@ in
   users.users.root = {
     shell = pkgs.zsh;
   };
+  programs.neovim = {
+    enable = true;
+    defaultEditor = true;
+  };
+
+  environment.systemPackages = with pkgs; [
+    keyd
+    htop
+    # Misc utils
+    ripgrep
+    fzf
+    unzip
+    nautilus
+    # Terminal
+    ghostty.packages.x86_64-linux.default
+    kitty
+    # Theming
+    palenight-theme
+    # Lock screen
+    hyprlock
+    # Idling
+    sway-audio-idle-inhibit
+  ];
+
+  fonts = {
+    fontDir.enable = true;
+    packages = with pkgs; [
+      nerd-fonts.bigblue-terminal
+      nerd-fonts.fira-code
+      nerd-fonts.caskaydia-cove
+    ];
+  };
+
+  security.pam.services.hyprlock = {};
+  programs.hyprland = {
+    enable = true;
+    xwayland.enable = true;
+  };
+  environment.sessionVariables = {
+    # Enable wayland support for chromium/electron apps.
+    GDK_BACKEND = "wayland";
+    NIXOS_OZONE_WL = "1";
+    MOZ_ENABLE_WAYLAND = "1";
+    QT_QPA_PLATFORM = "wayland";
+    # This caused issues with walker, but might be some other
+    # issue with wayland/hyprland, so will leave it here for now.
+    # QT_WAYLAND_DISABLE_WINDOWDECORATION = "1";
+    # WLR_NO_HARDWARE_CURSORS = "1";
+  };
+
+  # This is not really enabling X11, bad naming.
+  services.xserver = {
+    enable = true;
+    displayManager.gdm = {
+      enable = true;
+      wayland = true;
+    };
+  };
+  # This is used to scale the gdm login screen,
+  # try to set it up for fractional scaling in 
+  # the future.
+  # home-manager.users.gdm = { lib, ... }: {
+  #   home.stateVersion = "25.05"; # Do not change!!!
+  #   dconf.settings = {
+  #     "org/gnome/desktop/interface" = {
+  #       scaling-factor = lib.hm.gvariant.mkUint32 2;
+  #     };
+  #   };
+  # };
+
+  # USB devices.
+  services.devmon.enable = true;
+  services.gvfs.enable = true;
+  services.udisks2.enable = true;
 
   # List services that you want to enable:
 
@@ -68,5 +162,5 @@ in
   # Or disable the firewall altogether.
   networking.firewall.enable = false;
 
-  system.stateVersion = "24.11"; # Did you read the comment?
+  system.stateVersion = "25.05"; # Did you read the comment?
 }

hosts/devbox/hardware-configuration.nix

@@ -14,19 +14,17 @@
   boot.extraModulePackages = [ ];
 
   fileSystems."/" =
-    { device = "/dev/disk/by-uuid/67dc8c71-37ca-4340-945a-cfd1befe2aa1";
+    { device = "/dev/disk/by-uuid/66e590ea-a84b-442c-b099-f97a160153f6";
       fsType = "ext4";
     };
 
   fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/9FBA-15AF";
+    { device = "/dev/disk/by-uuid/4419-F037";
       fsType = "vfat";
       options = [ "fmask=0077" "dmask=0077" ];
     };
 
-  swapDevices =
+  swapDevices = [ ];
-    [ { device = "/dev/disk/by-uuid/16fa084b-0350-4416-9597-36010f16011d"; }
-    ];
 
   # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
   # (the default) this is the recommended approach. When using systemd-networkd it's
@@ -34,7 +32,7 @@
   # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
   networking.useDHCP = lib.mkDefault true;
   # networking.interfaces.enp2s0.useDHCP = lib.mkDefault true;
-  # networking.interfaces.wlo1.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;
 
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
   hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;

hosts/devbox/home.nix

@@ -1,22 +1,57 @@
-{ inputs, config, pkgs, ssh-agent-switcher, ... } :
+{ lib, inputs, config, pkgs, ssh-agent-switcher, ... } :
-{
+let
+  pathToKeys = ../common/keys/yubi;
+  yubiKeys =
+    lib.lists.forEach (builtins.attrNames (builtins.readDir pathToKeys))
+    (key: lib.substring 0 (lib.stringLength key - lib.stringLength ".pub") key); # Remove .pub suffix.
+  yubikeyPublicKeyEntries = lib.attrsets.mergeAttrsList (
+    lib.lists.map
+      (key: { ".ssh/${key}.pub".source = "${pathToKeys}/${key}.pub"; })
+      yubiKeys
+  );
+in {
 
   imports = [
+    ../../home-modules/hyprland
+
     ../../home-modules/default.nix
-    ../../home-modules/nvim.nix
+    ../../home-modules/direnv.nix
-    ../../home-modules/tmux.nix
+    ../../home-modules/ghostty-config.nix
     ../../home-modules/git.nix
     ../../home-modules/lazygit.nix
+    ../../home-modules/nvim.nix
+    ../../home-modules/sops.nix
+    # ../../home-modules/ssh-client.nix
     ../../home-modules/starship.nix
-    ../../home-modules/direnv.nix
+    ../../home-modules/tmux.nix
     ../../home-modules/zsh.nix
   ];
 
+  ghostty.font-size = "16";
+  ghostty.window-decoration = false;
+
   home = {
     username = "jmug";
     homeDirectory = "/home/jmug";
 
     packages = with pkgs; [
+      # Media
+      loupe
+      vlc
+      # Audio
+      wireplumber
+      spotify-player
+      # Secret management.
+      age
+      sops
+      # Browsers
+      ungoogled-chromium
+      # Coms
+      (webcord.override { electron = inputs.nixpkgs-electron-32.legacyPackages."aarch64-linux".electron; })
+      whatsie
+      obs-studio
+
+      # Misc
       zig
       neofetch
       fzf
@@ -25,20 +60,28 @@
       git
       wget
       exercism
-      # Thin provisioning tools
-      thin-provisioning-tools
     ];
 
-    stateVersion = "24.11";
+    file = {} // yubikeyPublicKeyEntries;
+
+    pointerCursor = {
+      gtk.enable = true;
+      x11.enable = true;
+      hyprcursor.enable = true;
+      name = "Posy_Cursor_Black";
+      package = pkgs."posy-cursors";
+    };
+
+    stateVersion = "25.05";
   };
 
   programs.zsh = {
     shellAliases = {
       # TODO BEGIN Interpolate the name of the host here.
-      flakeconf = "sudo nvim /etc/nixos/flake.nix";
+      # flakeconf = "sudo nvim /etc/nixos/flake.nix";
-      nosconf = "sudo nvim /etc/nixos/hosts/devbox/configuration.nix";
+      # nosconf = "sudo nvim /etc/nixos/hosts/devbox/configuration.nix";
-      homeconf = "sudo nvim /etc/nixos/hosts/devbox/home.nix";
+      # homeconf = "sudo nvim /etc/nixos/hosts/devbox/home.nix";
-      nvconf = "sudo nvim /etc/nixos/home-modules/explicit-configs/nvim/init.lua";
+      # nvconf = "sudo nvim /etc/nixos/home-modules/explicit-configs/nvim/init.lua";
       # TODO END Interpolate the name of the host here.
       rshellconf = "source ~/.zshrc";
       # TODO: Interpolate the name of the host here.
@@ -61,6 +104,24 @@
   programs.ssh = {
     enable = true;
     addKeysToAgent = "confirm";
+    matchBlocks = {
+      "git" = {
+        host = "github.com";
+        user = "git";
+        identityFile = [
+          "/home/jmug/.ssh/id_yubikey" # Auto updated symlik that matches all yubikeys.
+          "/home/jmug/.ssh/id_jmug" # Fallback key with passphrase.
+        ];
+      };
+      "forgejo" = {
+        host = "code.jmug.me";
+        user = "forgejo";
+        identityFile = [
+          "/home/jmug/.ssh/id_yubikey" # Auto updated symlik that matches all yubikeys.
+          "/home/jmug/.ssh/id_jmug" # Fallback key with passphrase.
+        ];
+      };
+    };
     # matchBlocks = {
     #   alarm = {
     #     user = "alarm";

modules/nixos/yubikey/default.nix

@@ -157,9 +157,9 @@ in
         };
       };
       services = {
-        login.u2fAuth = true;
+        login.u2fAuth = config.yubikey.enable-u2f-auth;
         sudo = {
-          u2fAuth = true;
+          u2fAuth = config.yubikey.enable-u2f-auth;
         };
         # Attempt to auto-unlock gnome-keyring using u2f
         # NOTE: vscode uses gnome-keyring even if we aren't using gnome, which is why it's still here

secrets.yaml

@@ -11,29 +11,38 @@ sops:
         - recipient: age1psyctjy329r9v07uqu72vkjl06f26f0epvh6zxejdkwp3m0tnyvq88rnr4
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMTStDSGFqeFlsVDZzb0ZJ
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXYjZnMW0vM2J1YXZHRS9Z
-            d0Y2SGNvZ1NTODVJRitPdm5LcVVsMWNMWkVJCm5oNDJPdFUwNDMrRTh1Y25Tbkt3
+            YXFwakZWV05qVHBremlHME9KamZmemlsZXh3CkxzaURINVF5UWtCWm5NQUVNdWRu
-            eFlyb3hyOVNid3hpQUFvTWF4S1JKNlUKLS0tIDFYL3dURTNRYzlmZXI2SU9xeDY0
+            OXd0REt3S21HRWdVYzBTUG1nTFRBQmMKLS0tIDhJODZ0OFM4QzlPYlhGT2lScGhT
-            SnYvQ3JHMUM2UzIvVFlSWUI2ZmE1eDgKWgwW46FDQvtgHQrNTiLfJ1K+KiifvJfN
+            d05INzlEUFgzRzZrKzhCSUt5eHRSMWMKMeRv2XewX2VC+gEJrPqBBDTY9Z6uwBUV
-            s8LI1fAcjrQPaDLuNwFt3ddxqHYJaJqmviQpUAY50RUH/CxvLp1ALw==
+            x8hCgD2WQgIYiFGLZy+FsgOhOin4VRIB6u1aTAFQpne81TPCKBIVDQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1cfcfye2unv89fgyuwpvy9sas40jd87kksw7rlgy4cwmcfjqntv2st2jcnp
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJMVQ4M3lGa1o5V0tzcUhy
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4Y2l4bmxvMUoydTUxeVJV
-            RlhnVkloTmRPNkZlUEQyN1lObWI0YitYM3prCjV1WTRSR3RLemQvcDFVT213YlQr
+            cG53MVBSZTVCdEJVc3lIUG80NUhRR3JHVHg0CktiZG1qQXhObEJlb1l1TXdMWG1K
-            aUJqT0ZrOW54MHI3bEV0bFVyL3E2ZkkKLS0tICsrcklYKzd6Nkx1MXk1aVRkYS9M
+            MFJzTFhkRzBCbHUrVWQyYU9jZTI3bFEKLS0tIEMyTEhxUHVEQ3p2RU1uUFdEQjhm
-            MHFpaGszWG9CbWxUbEVPRnVIcWtBZDAK9PsO4N0T64G4hX6kT9gcg6q9g5JSMDDL
+            OS9jTkVwdWFCRGh4eU9HZkg2bjFKcEUKF5ImHatfTNVrw9hWBTAfCYLSdWaX4eo2
-            Xs7LgZ9M1eB/DJEO5R4ZtcnL9hn4nyEEs+RQfsrXa4hkOS/AZe80DA==
+            ykwh2iK58JT3gXr9WsnWlf7/6VqZV+28eaptL34larbhdVGCgJsKMQ==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1y2kfnx87z2j7te9hu0guderrf2x9m8d0f3gfjjxcdk2va77yj3hsngj2f5
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGQjUxTWJFWi9YcE8vTkVz
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaMHVuUjNyWDdyWlUvMWVq
-            dWNWYm1MZ1hKZmN0SVlJbm9HMWtPTDN1S0dvCml5Uzg3b1hjaHY4d1ptVGNiOFRj
+            ZWxPS0NCYXQwU0lWOGhyc2JmaFpEcWo2eFJrCkJlMHFYUFd3Rk13YTllSktjaWR0
-            K3lIWk5LRGJlRTFDdGlEaWUwcnF4Q2cKLS0tIGVkZ2FUY2l5ZHNnbENVSUlmSWFH
+            N0w2SzcvaW11SjBkL3B5eHAySUoyWDAKLS0tIFgzYmtCcjVkaTZiQXd0NmQ2ckVB
-            YkxFVzllZUNZazlVaksrL25MZWdxbUEKA7MEFMTjgAOXXHTIFo5hImgAZ1Zkrq++
+            OU01OGJUZ0ZIemw3elB0a1NjUXlNODgKyBNUqDdZuwY4Li9C6Bjv38rr/k6kva0u
-            viz9aCwATnlp0uw+Xqg+H2dS6Td47kt8rqXbaD0XJ4+HYydJJUG6Ag==
+            rdr3QPSihgLv4+xaSFlpnK5zpVuSbh02+igKXnB2Pm7876iVxsE9ng==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1208zkkd9hh8n6v9zn6w75x9ajxd798kc4cv53d6qhkx55juflumquyh3ge
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByOE9uYUxYaWt6S3BXTFZM
+            NWRHNm5jVUpsblJaZUo4bjlBK2FHb21nWFJBCk4zRTIzV0laQTJMbUwrNm10eVlr
+            TTByUlVvRytOQ0x4RDUxbzhnN0VCeGMKLS0tIG8zcDdwc01VWmU5THk0RmRLWGhG
+            UjlDQ0Y5QnY4dmlVVFZrM0IyZzlISWcKwpQY9/f1O2v78/9/dCZ7HPE3wVwQ4COG
+            a0E+oMEgBIeQny9LyfhUW2V/HKhYhFNPJaZrNM4J1zL+bz2ucdErmw==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2025-06-19T19:52:49Z"
     mac: ENC[AES256_GCM,data:Fz/3QEoAjJy4psanCwDvIjUFSVDaSK+/Qjyr2M2c7eetv+USDaP1CraXaTK/OwKQfDWdnPHUOqfW1Oj51XJSPPoRlyYjXJxODjVXZfHo/EwnbpJs/81Lx66lYKljgCopFE6y2a7cFkM25g9aehyPhP/zdwULa/EmXcnuIimH8A0=,iv:dniso33D2uf4YUUbbODsbfm2k6dZdWdBTBPvnXTHL34=,tag:89KOctxIJ+lT7xUQR0qetA==,type:str]